Comments on the EU Commission’s Flawed Cybersecurity Strategy

On Thursday February 7th 2013, during a press conference, the European Commission announced a milestone initiative in the field of “cybersecurity”, publishing two documents:

- A proposal for a directive “concerning measures to ensure a high common level of network and information security across the Union” (apparently nicknamed the “NIS directive”).

- A communication on a “CyberSecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace”.

Both the press conference of commissioners Kroes, Malmström and Ashton and the documents released show two things: the Commission is not taking freedom seriously in Internet policy, and it might be paving the way for the militarization of cyberspace.

The EC should start by getting the math right

The commissioners started off by relaying vague and inflated statistics about the cost of cybercrime (several studies have already debunked some of these). From copyright enforcement to cybersecurity policy debates, bogus numbers remain, in this case to the benefit of the security and surveillance industry[1]. This is classic, lobby-induced threat inflation (on that note, see Brito & Watkins’s 2011 article: Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy).

Then, the commissioners moved to the substance of the proposal. Things were not particularly clear and specific, as the questions of the journalists sitting in the press room would later reveal. The few reporters in attendance had interesting questions, but unfortunately these were largely unrelated to the actual texts[2]. They had apparently not been able to read the recent leaks of both documents by anonymous Brussels sources, released on the Internet last month (as I write, the documents officially released yesterday still cannot be found on the EU Commission website). Going over the 60-plus pages of the proposed directive and the accompanying communication, it becomes clear that the EU cybersecurity strategy suffers from several flaws…

Towards a centralized network of cybersecurity authorities

The proposed “Network and Information Security” directive aims to set up a “NIS network” of “cybersecurity firemen”, headed by the EU agency ENISA (created in 2004 and based in Athens). ENISA will lead a group of national counterparts, as each Member State shall have its own NIS authority. For the most part, these already exist and are usually primarily in charge of defense and military networks (see this analysis by Prof. Ross Anderson, computer security researcher at Cambridge University, about how the proposal risks centralizing cybersecurity policy-making within the public sector).

This centralized network of de facto cybersecurity policy-makers will operate outside public scrutiny, with the always-convenient excuse of handling “confidential information” (see recitals 17 and 18). Behind the scenes, these public authorities of course risk falling under the harmful influence of security vendors, other “private sector providers”, the military and other parts of governments, who will help push for the kind of fear-mongering displayed at the very beginning of the press conference.

The new “data breach disclosure” obligations that made the headlines are actually very limited. Cases of data breaches may be made public, at the sole discretion of NIS authorities. As Prof. Anderson points out:

“Whereas security-breach notification laws in the USA require firms to report breaches to affected citizens, articles 14 and 15 instead require breach notification to the ‘competent authority’. Notification requirements can be changed later by order (14.5-7) and the ‘competent authorities’ only have to tell us if they determine it’s in the “public interest” (14.4).”

What is more, this NIS network will also be absorbing a potentially enormous amount of information (article 15.2) from virtually all the significant players of the Internet (which are among the many “market operators” impacted, see Annex IV). In return, these “market operators” will be able to benefit from cheaper insurance premiums if they properly follow the recommendations on security practices. In other cases, they simply won’t have the choice: NIS authorities will have the power to issue “binding instructions to market operators and public administrations”, as provided by article 15.3 (instructions drawn up how? following what procedures or criteria? The text does not say). Meanwhile, the EU Commission will be given broad competency to impose “standards and/or technical specifications relevant to network and information security” (article 16). Another carte blanche for corporate lobbies to impose their standards in the comfort of the Brussels maze.

Finally, the NIS network will work with Computer Emergency Response Teams (CERTs are official teams of security experts; they already exist, but will be beefed up under the proposed directive) and law enforcement agencies, especially Europol’s brand-new EC3: the “European Cyber Crime Center” (watch this “cool” video to get a sense of how hyped EC3 is)…

The strategy’s missing players

This all could have been a little different. And better.

For instance, the Commission could have promoted a more decentralized governance of cybersecurity, insisting on procedural safeguards on how cybersecurity policy is made and conducted (at least general but tangible principles). Many people in many places today are doing a great job of ensuring the resiliency of the Internet, and would probably have welcomed real guarantees for broad participation in open policy fora (guarantees enacted preferably not just as a nice gesture, but out of conviction that this is how you can best ensure the trust and reliability of cybersecurity practices).

But these players (in academia, in civil liberty organizations, in hackerspaces, etc.) are mostly kept out of the loop in the announced strategy. And they have reasons to worry. Not only can they rightly question the competence of the EU executives in caring for the Internet. Several state actors, including in the EU and the US, are in fact promoting “cyber-insecurity” (i.e. the trade of zero-day exploits, dubious “cyberattack” experiments, attendance at trade fairs on Internet surveillance, etc.) rather than fighting it. They also have to bear the risk of repression posed by directive 2010/0273 on “combating attacks against information systems”, which is currently in first reading in the EU Parliament and could criminalize security researchers and “white-hat” hackers.

Trying to put some “net freedoms” flavor

The Commission tried hard to make it look as if this was actually about promoting freedoms online (the Commission put these sweet words in bold and, even less subtly, even managed to have “open internet and online freedoms” in the title of its press release!). But the articles of the proposed directive on cybersecurity and the overall strategy bring very little protection to the rights of Internet users, and none to the decentralized architecture of the network (for example, the documents make no mention of Net neutrality). In the end, the substance of it all comes down to a few supposedly reassuring lines:

– The cybersecurity communication released alongside the directive makes mention of the NO DISCONNECT strategy aimed at helping “cyber-dissidents”, announced in late 2011 by Neelie Kroes[4], which has yet to achieve anything significant (see below).

– The Commission is also announcing the upcoming release of international guidelines on freedom of expression “offline and online” to assist its diplomacy.

– … (fill in with the other similar “net freedoms” overtones in there).

Overall, these good words will do very, very little to put into practice the “Digital Freedom Strategy” report adopted by the EU Parliament in December 2012, or any of the policy proposals made by civil society and academia to better protect human rights online, both in the EU and globally.

In the meantime…

In the meantime, no ad hoc and effective regulation exists for regulating the use of privacy-invasive technologies in network architectures[5]. And Net neutrality is officially abandoned as a regulatory objective by Neelie Kroes.

In the meantime, workshops and consultations are being organized in Brussels about the NO DISCONNECT strategy, while free speech NGOs are left suing “censorware” vendors before the… OECD (the OECD is not known to be an actual judicial authority but, at least, they have some useful words put on paper against what these companies appear to have done, and still seem to be doing, in authoritarian regimes around the world. See the RSF press release). There are also criminal charges brought in France for complicity in torture against Amesys for its former cooperation with Kaddhafi’s political police. However, the trial is taking quite a long time; Amesys and its technologies were absorbed by BULL (Amesys and its bad publicity were then sold off by BULL); the French government invests public money in BULL; and BULL thrives on defense and private-sector contracts, in France and abroad[6]. It is also very hard to get any information on these companies’ controversial activities, in spite of parliamentary requests to governments[7], or on whether and how they are being regulated under dual-use export controls (most likely, they are not). It’s business as usual.

In the meantime, in an interview, the EC3 chief Troels Ørting lists “hacktivism” as a cybersecurity threat alongside terrorist activities and extremism. This shows once again that high-ranking officials tend to overlook crucial policy distinctions between the “cybercrime” phenomenon on the one hand and politically-motivated hacking and other forms of online civil disobedience on the other.

This one-size-fits-all issue is also absolutely obvious in the cybersecurity strategy. Dutch Member of the EU Parliament Sophie in ’t Veld, who reacted to the leaks, offers an explanation for why this is so, saying:

“It looks like almost every Directorate General (department) in the Commission wanted to write its own bit of the strategy. It bothers me that all these different policy areas are being lumped together in one document. It covers so much, from internet fraud and illegal downloading, to child pornography and international security (…). The lines are being blurred and we need to safeguard the fundamental rights we expect in a democracy and not cede disproportionate powers to law enforcement.”

After the Telecoms Package, after HADOPI, after SOPA/PIPA, after CISPA, after ACTA, after the WCIT, our dear democracies still don’t seem to get it right. And so we are left watching our political system put much effort into, and spend lots of time on, discussions that in the end deliver so little. Repressive proposals keep coming. One after the other. A significant “core” of policy-makers remains stuck in fear, and keeps refusing to put the protection of freedoms online onto the legislative agenda or to promote the decentralized governance model that has worked so well for the Internet.

Will more citizen pressure on Internet policy-making do the trick? Will the EU Parliament come to the rescue? Because this proposed NIS directive could use some serious improvement. At any rate, a much more open discussion on cybersecurity policy is urgent.

7. The French parliamentary committee set up to investigate the Amesys case was not able to get into real discussions with the government on this matter. Le Figaro ran an article mentioning that the French equivalent of the NSA (DCRI) had acquired one of Amesys’s mass Internet surveillance systems, “Eagle”. It did not go further than that. Nobody even talked about it. No debate.